Windows Server 2025: AD login problems after installing the April updates

Microsoft has confirmed that logon problems to Active Directories may occur after installing the April security updates.

Windows updates can cause problems.

(Image: heise online / dmk)

Microsoft has once again acknowledged problems with Windows updates. This time Windows Server is affected: after installing the April Patchday security updates, Active Directory domain controllers can run into authentication problems with "Windows Hello for Business" in Key Trust configurations and with other certificate-based Kerberos logons.

In the Windows Release Health notes, Microsoft describes the problem and a temporary workaround. After installing the April patches, Active Directory domain controllers may have problems processing Kerberos logons or delegations that use certificate-based credentials relying on key trust via the Active Directory attribute "msDS-KeyCredentialLink". This can lead to authentication failures with "Windows Hello for Business" if the environment is configured for key trust ("Key Trust"), or if it relies on device public key authentication, also known as "Machine PKINIT".

Other products that rely on these functions may also be affected, including smart card authentication products, third-party single sign-on solutions and identity management systems. According to Microsoft, the affected protocols are Kerberos public key cryptography for initial authentication (Kerberos PKINIT) and certificate-based service-for-user delegation (S4U) using both Kerberos constrained delegation (KCD, also called A2D2 delegation) and Kerberos resource-based constrained delegation (RBKCD, also called A2DF delegation). Home users are unlikely to be affected, as domain controllers are mainly found in business and enterprise environments.

The cause is a protective measure for Kerberos authentication against the vulnerability CVE-2025-26647 / EUVD-2025-10222 (CVSS 8.8, risk "high"): improper input validation in Kerberos that attackers on the network can exploit to elevate their privileges. Microsoft has compiled more detailed information on this in a support article.

The update changes how domain controllers validate the certificates that Kerberos uses for authentication. Since the April updates, Windows checks whether a client certificate chains to a root in the NTAuth store. If the registry value "AllowNtAuthPolicyBypass" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc" is not set, Windows behaves as if it were set to "1". Two symptoms can follow. First, with "AllowNtAuthPolicyBypass" at "1" (audit mode), event ID 45 appears repeatedly in the System event log with a message such as "The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store". Apart from the sometimes excessive log volume this has no effect: logons continue to work.

The second symptom occurs if "AllowNtAuthPolicyBypass" is set to "2" (enforcement mode) on the authenticating DC. User logons then fail, and the Kerberos Key Distribution Center also logs event ID 21 with the message "The client certificate for the user is not valid and resulted in a failed smartcard logon".

Since logons only fail when "AllowNtAuthPolicyBypass" has the value "2", admins should temporarily set it to "1". Microsoft is aware of the problem and is working on a fix that will be distributed as soon as possible. Windows Server 2025, 2022, 2019 and 2016 are affected.
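The following PowerShell, added here as an example and not taken from the article or from Microsoft, turns the check and the workaround described above into something an admin can run on each domain controller: it reads the stored "AllowNtAuthPolicyBypass" value, reports the effective mode, counts recent KDC events 45 and 21, and can move a DC from "2" back to "1". It assumes the behaviour described above (an unset value is treated as 1, the value 2 blocks logons) and that the KDC writes events 45 and 21 to the System log; the function names are my own.

```powershell
# Added example (not from the heise article or Microsoft). Run in an elevated
# PowerShell session on a domain controller.
# Assumptions: unset DWORD behaves like 1 (audit), 2 means enforcement and
# blocks certificate logons; KDC events 45/21 are written to the System log.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'

function Get-NtAuthBypassState {
    # Returns the stored value ($null when unset) and the mode the KDC will apply.
    $item   = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    $stored = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
    $effective = if ($null -eq $stored) { 1 } else { $stored }   # unset -> 1
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Stored    = $stored
        Effective = $effective
        Mode      = switch ($effective) {
            1 { 'Audit: certificates not chaining to NTAuth are logged (event 45) but accepted' }
            2 { 'Enforce: such certificates are rejected, logons fail (event 21)' }
            default { "Unexpected value $effective" }
        }
    }
}

function Get-KdcNtAuthEvents {
    param([int]$Hours = 24)
    # Events 45 (audit hit) and 21 (rejected certificate) from the KDC, grouped by ID.
    $filter = @{ LogName = 'System'; Id = 45, 21; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' } |
        Group-Object Id |
        ForEach-Object {
            [pscustomobject]@{
                EventId = [int]$_.Name
                Count   = $_.Count
                Sample  = ($_.Group | Select-Object -First 1).Message.Split("`n")[0]
            }
        }
}

function Set-NtAuthBypassWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Temporary workaround from the article: move the DC from enforcement (2) back to audit (1).
    $state = Get-NtAuthBypassState
    if ($state.Effective -ne 2) {
        Write-Host "No change: $ValueName is effectively $($state.Effective); logons are not blocked by this setting."
        return
    }
    if ($PSCmdlet.ShouldProcess("$KdcKey\$ValueName", 'Set DWORD to 1 (audit mode)')) {
        Set-ItemProperty -Path $KdcKey -Name $ValueName -Value 1 -Type DWord
        Get-NtAuthBypassState
    }
}

# Usage on each DC:
Get-NtAuthBypassState | Format-List
Get-KdcNtAuthEvents -Hours 24 | Format-Table -AutoSize
# Set-NtAuthBypassWorkaround -WhatIf   # preview the change
# Set-NtAuthBypassWorkaround           # apply it
```

To run this against all DCs at once, wrap the three functions in a script block and pass it to Invoke-Command with the DC names; note that event 45 alone is expected noise in audit mode, while any event 21 on a DC with the value "2" is the failure the article describes.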

When update problems become known, Microsoft often works on automatic fixes. Around the end of April, for example, Microsoft resolved issues with remote desktop sessions that had been occurring in several cases since Windows updates installed earlier this year.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.